You are wrong. Apple says there was no "security breach" except their lack of security for the FindMyIphone website caused the breach.
Mainly they exploited the fact that the FindMyIphone website did not throttle the number of login attempts. So you can do it as many times as possible. Apple deflected this by "denying" that any usernames or passwords were leaked, but in reality it is their fault that the accounts were compromised.
Except the FMI flaw is only tenuously linked to the breach - with more evidence pointing away from it (i.e. timeline of how long the photos have been offered for sale, disclosures by other photo-hackers, etc) than toward it.
There was early speculation that the flaw was at fault, but no confirmation from anyone.
Mainly they exploited the fact that the FindMyIphone website did not throttle the number of login attempts. So you can do it as many times as possible. Apple deflected this by "denying" that any usernames or passwords were leaked, but in reality it is their fault that the accounts were compromised.